Version Details and Security Vulnerabilities

📦

@nuxtjs/i18n

7.3.1

Comparision Betweeen 7.3.1 and 7.3.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

80.15 KB

79.43 KB

Security Vulnerabilities

This site is an independent open-source project and is not affiliated with, endorsed by, or sponsored by npm, Inc. or GitHub, Inc. The name “npm” is a registered trademark of npm, Inc., used here solely to describe compatibility and reference publicly available npm package data.

Version Details and Security Vulnerabilities

📦

@nuxtjs/i18n

7.3.1

Comparision Betweeen 7.3.1 and 7.3.0

Identify the differences between the current version of the package and the previous one.

Version

Dependencies

Dev Dependencies

Peer Dependencies

Distributed Files

Unpacked Size

80.15 KB

79.43 KB

Security Vulnerabilities

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 7.3.1 of the package @nuxtjs/i18n.

All Security Vulnerabilities

All the vulnerabilities related to the version 7.3.1 of the package

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

The cookie name could be used to set other fields of the cookie, resulting in an unexpected cookie value. For example, serialize("userName=<script>alert('XSS3')</script>; Max-Age=2592000; a", value) would result in "userName=<script>alert('XSS3')</script>; Max-Age=2592000; a=test", setting userName cookie to <script> and ignoring value.

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.5.0

Summary:

devalue prototype pollution vulnerability

Details:

1. `devalue.parse` allows `proto` to be set

A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5

2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:

devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]

devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0

This could be used by a creative attacker to bypass server-side validation.

Details about devalue@2.0.1

Security Details

Comprehensive list of direct or transitive vulnerabilities for version 7.3.1 of the package @nuxtjs/i18n.

All Security Vulnerabilities

All the vulnerabilities related to the version 7.3.1 of the package

Summary:

cookie accepts cookie name, path, and domain with out of bounds characters

Details:

Impact

A similar escape can be used for path and domain, which could be abused to alter other fields of the cookie.

Patches

Upgrade to 0.7.0, which updates the validation for name, path, and domain.

Workarounds

Avoid passing untrusted or arbitrary values for these fields, ensure they are set by the application instead of user input.

References

https://github.com/jshttp/cookie/pull/167

Details about cookie@0.5.0

Summary:

devalue prototype pollution vulnerability

Details:

1. `devalue.parse` allows `proto` to be set

A string passed to devalue.parse could represent an object with a __proto__ property, which would assign a prototype to an object while allowing properties to be overwritten:

class Vector {
  constructor(x, y) {
    this.x = x;
    this.y = y;
  }

  get magnitude() {
    return (this.x ** 2 + this.y ** 2) ** 0.5;
  }
}

const payload = `[{"x":1,"y":2,"magnitude":3,"__proto__":4},3,4,"nope",["Vector",5],[6,7],8,9]`;

const vector = devalue.parse(payload, {
  Vector: ([x, y]) => new Vector(x, y)
});

console.log("Is vector", vector instanceof Vector); // true
console.log(vector.x) // 3
console.log(vector.y) // 4
console.log(vector.magnitude); // "nope" instead of 5

2. `devalue.parse` allows array prototype methods to be assigned to object

In a payload constructed with devalue.stringify, values are represented as array indices, where the array contains the 'hydrated' values:

devalue.stringify({ message: 'hello' }); // [{"message":1},"hello"]

devalue.parse does not check that an index is numeric, which means that it could assign an array prototype method to a property instead:

const object = devalue.parse('[{"toString":"push"}]');
object.toString(); // 0

This could be used by a creative attacker to bypass server-side validation.

Details about devalue@2.0.1

Version Details and Security Vulnerabilities

@nuxtjs/i18n

Comparision Betweeen 7.3.1 and 7.3.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

@nuxtjs/i18n

Comparision Betweeen 7.3.1 and 7.3.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

1. `devalue.parse` allows `proto` to be set

2. `devalue.parse` allows array prototype methods to be assigned to object

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

Impact

Patches

Workarounds

References

1. `devalue.parse` allows `proto` to be set

2. `devalue.parse` allows array prototype methods to be assigned to object

Version Details and Security Vulnerabilities

@nuxtjs/i18n

Comparision Betweeen 7.3.1 and 7.3.0

Security Vulnerabilities

Version Details and Security Vulnerabilities

@nuxtjs/i18n

Comparision Betweeen 7.3.1 and 7.3.0

Security Vulnerabilities

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

cookie@0.5.0 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

devalue@2.0.1 GHSA-vj54-72f3-p5jv 7.9

1. devalue.parse allows __proto__ to be set

2. devalue.parse allows array prototype methods to be assigned to object

Security Details

All

Transitive Dependencies

Package

All Security Vulnerabilities

cookie@0.5.0 GHSA-pxg6-pf52-xh8x N/A

Impact

Patches

Workarounds

References

devalue@2.0.1 GHSA-vj54-72f3-p5jv 7.9

1. devalue.parse allows __proto__ to be set

2. devalue.parse allows array prototype methods to be assigned to object

1. `devalue.parse` allows `proto` to be set

2. `devalue.parse` allows array prototype methods to be assigned to object

1. `devalue.parse` allows `proto` to be set

2. `devalue.parse` allows array prototype methods to be assigned to object